sbom: adjust for sbom mapping changes
The "name" of the sbom components no longer contains the pkgbase
we can use to map vulns. Instead, components now have one or more
properties with the key "msys2:pkgbase" and the value being the pkgbase.
lazka committed Dec 23, 2024
1 parent 6b994cc commit 2b9af94
Showing 1 changed file with 9 additions and 4 deletions.
13 changes: 9 additions & 4 deletions app/fetch/cdx.py
Expand Up @@ -17,9 +17,12 @@ def parse_cdx(data: bytes) -> dict[str, list[Vulnerability]]:

mapping = {}
for component in cdx["components"]:
name = component["name"]
pkgbases = set()
for property in component.get("properties", []):
if property["name"] == "msys2:pkgbase":
pkgbases.add(property["value"])
bom_ref = component["bom-ref"]
mapping[bom_ref] = name
mapping[bom_ref] = pkgbases

def parse_vuln(vuln: dict) -> Vulnerability:
severity = Severity.UNKNOWN
Expand All @@ -35,8 +38,10 @@ def parse_vuln(vuln: dict) -> Vulnerability:
for vuln in cdx["vulnerabilities"]:
for affected in vuln["affects"]:
bom_ref = affected["ref"]
name = mapping[bom_ref]
vuln_mapping.setdefault(name, []).append(parse_vuln(vuln))
pkgbases = mapping[bom_ref]
parsed_vuln = parse_vuln(vuln)
for pkgbase in pkgbases:
vuln_mapping.setdefault(pkgbase, []).append(parsed_vuln)

return vuln_mapping

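Review bot: In the second hunk, `for pkgbase in pkgbases:` silently discards any vulnerability whose affected component carries no `msys2:pkgbase` property, because the first hunk then stores an empty set in `mapping[bom_ref]`; before this change every component yielded a key, so this is a new way for a reported vulnerability to vanish from the result without a trace. I would make that case explicit right after the properties loop, e.g. `if not pkgbases: raise ValueError(f"component {bom_ref!r} has no msys2:pkgbase property")`, or at least emit a warning if components without a pkgbase are expected in these SBOMs (no logger is visible in the hunk, so I can't tell which fits). Note also that `parsed_vuln` is the same `Vulnerability` object appended under every pkgbase, so a later in-place change to one entry would show up under the others, which is fine only if callers treat the entries as read-only. The loop variable `property` also shadows the builtin; `prop` would read cleaner. `parse_cdx` begins before the first hunk and `vuln_mapping` is initialised outside the shown lines.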
